Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-0377

HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry.

Published

2025-01-21T16:15:14.290

Last Modified

2025-12-15T21:00:36.663

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Secondary
CWE-59

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	hashicorp	go-slug	< 0.16.3	Yes

References

https://discuss.hashicorp.com/t/hcsec-2025-01-hashicorp-go-slug-vulnerable-to-zip-slip-attack Vendor Advisory ([email protected])